kern/55568: DUMP has access to block devices in a JAIL

mjoyner mjoyner at rv1.dynip.com
Wed Aug 13 18:10:21 PDT 2003


>Number:         55568
>Category:       kern
>Synopsis:       DUMP can be used in JAIL
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 13 18:10:18 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     System Administrator
>Release:        FreeBSD 5.1-RELEASE i386
>Organization:
>Environment:
System: FreeBSD eadmin.dyns.net 5.1-RELEASE FreeBSD 5.1-RELEASE #0: Mon Aug 11 15:53:58 EDT 2003 sysadmin at eadmin.dyns.net:/usr/src/sys/i386/compile/kernel.build.conf i386


>Description:

         A jailed root user can use DUMP and gain a snapshot of the entire disk.
         From there the jailed root user can restore files from the HOST SYSTEM
         or any other jails at their leisure.

         Even if DEVFS is not mounted, a root user could possibly create a
         device node anyways, and one needs TTYS anyways.

         Some sort of check is not occurring in the disk access code that
         is needed to prevent JAILED users ANY raw access to the disk.

>How-To-Repeat:
         Run DUMP in a jailed environment.

>Fix:
         Add security checks on device access to prevent jailed users
         from gaining access to things they don't need access to.

         If this is a setting which can be changed, the default behavior
         needs to be more security conscious, or at least very very very
         clearly documented.


>Release-Note:
>Audit-Trail:
>Unformatted:
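
A host-side audit for the exposure this report describes, as an added example that is not part of the original report or of FreeBSD: it walks a jail's file tree and flags every device node not on an allow-list. The allow-list, the function names and the sample paths used to exercise it are assumptions.

```python
import os
import stat
import sys
from fnmatch import fnmatchcase

# Assumed allow-list (site policy, not from the report): device nodes a jail
# may legitimately see, as paths relative to the jail root.
ALLOWED = ("dev/null", "dev/zero", "dev/random", "dev/urandom",
           "dev/tty", "dev/ttyp*", "dev/ptyp*", "dev/fd/*")


def is_device(mode):
    # FreeBSD exposes disks as character devices, so testing only for
    # block devices would miss them; accept both node types.
    return stat.S_ISCHR(mode) or stat.S_ISBLK(mode)


def unexpected_devices(entries, allowed=ALLOWED):
    """Return sorted paths of device nodes that match no allow-list pattern.

    entries: iterable of (path relative to jail root, st_mode).
    """
    return sorted(
        path for path, mode in entries
        if is_device(mode) and not any(fnmatchcase(path, p) for p in allowed)
    )


def scan_tree(jail_root):
    """Yield (relative path, st_mode) for every non-directory under jail_root.

    The whole tree is walked, not only dev/, because the report notes that
    a jailed root user might create a device node outside devfs.
    """
    for dirpath, _dirnames, filenames in os.walk(jail_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode  # lstat: never follow symlinks
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            yield os.path.relpath(full, jail_root), mode


if __name__ == "__main__" and len(sys.argv) == 2:
    # Run on the host as root: python3 audit_jail_devs.py /path/to/jail
    for path in unexpected_devices(scan_tree(sys.argv[1])):
        print("unexpected device node:", path)
```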

